Krebs on Security

In-depth security news and investigation

PayIvy Sells Your Online Accounts Via PayPal

Normally, if one wishes to buy stolen account credentials for paid online services like Netflix, Hulu, XBoxLive or Spotify, the buyer needs to visit a cybercrime forum or drop into a dark Web marketplace that only accepts Bitcoin as payment. Increasingly, however, these accounts are showing up for sale at Payivy[dot]com, an open Web marketplace that happily accepts PayPal in exchange for a variety of stolen accounts.

A PayIvy seller advertising Netflix accounts for a dollar apiece. Unlike most sites selling hacked accounts, this one takes PayPal.

Marketed and sold by a Hackforums user named “Sh1eld” as a supposed method of selling ebooks and collecting payments for affiliate marketers, PayIvy has instead become a major conduit for hawking stolen accounts and credentials for a range of top Web services.

There is no central index of items for sale via PayIvy per se, but this catalog of cached sales threads offers a fairly representative glimpse: License keys for Adobe and Microsoft software products, user account credentials in bulk for services like Hulu, Netflix, Spotify, DirecTV and HBO Go, as well as a raft of gaming accounts at Origin, Steam, PlayStation and XBox Live. Other indexes at archive.is and PayIvy’s page at Reddit reveal similar results.

It’s not clear how or why PayPal isn’t shutting down most of these merchants, but some of the sellers clearly are testing things to see how far they can push it: In just five minutes of searching online, I found several PayIvy sellers who were accepting PayPal payments via PayIvy for…wait for it…hijacked PayPal accounts! The fact that PayIvy takes PayPal as payment means that buyers can purchase hacked accounts with [stolen] credit cards — or, worse yet, stolen PayPal accounts.

Jack Christin, Jr., associate general counsel at PayPal, said that while the site itself is not in violation of PayPal’s Acceptable Use Policies (AUP), there have been cases where PayPal has identified accounts selling goods that violate its policy, and in those cases the company has exited those merchants from its system.

“PayPal proactively monitors sellers with PayPal accounts who use the PayIvy platform to ensure the products they are selling are in compliance with our AUP, and we take appropriate action when violations are discovered,” Christin said.

The proprietor of PayIvy (quite possibly this guy, according to many of his fellow Hackforums users) makes money off of the service by selling “premium” accounts, which apparently offer repeat sellers a way to better track and manage their sales. Appropriately enough, among his ebook offerings via PayIvy is a tutorial on how to avoid getting one’s account banned or limited by PayPal. PayIvy did not respond to requests for comment.

Sh1eld makes clear how he feels about his users selling hacked accounts to pay services via his site in this thread, where he posts about takedown requests from a company representing Netflix.

“We are not under any obligation to follow any site’s TOS [terms of service],” he wrote. “However, we will take actions regarding copyrighted content, malicious files, or child pornography.”

I wonder how this individual would feel about people selling stolen PayIvy premium accounts?

Update, 10:33 a.m. ET: PayIvy just sent the following message to all of its sellers: “Starting May 15th, PayIvy will be banning all Netflix accounts. If you are still selling these accounts, we advise you to stop as your PayPal account will be limited as part of PayPal AUP. You have 9 days to delete your Netflix products before we do a search and remove them ourselves.”

This entry was posted on Wednesday, May 6th, 2015 at 12:57 am and is filed under A Little Sunshine, Web Fraud 2.0.

How will you have any credibility if you don’t get the facts straight and promote interests by bending facts? You started off from a service allowing people to sell anything legal to misleading people that the service itself promotes selling people hacked accounts.

But it’s true. All that’s sold on PayIvy are greyhat/blackhat ebooks which don’t even work and online accounts. There’s not much past that on Hack Forums’ and Leak Forums’ marketplaces which PayIvy advertises on.

Most of these folks are hiding in hostile countries. How exactly do you think you would get cash to them, and more importantly, why would they bother actually following through for you when they got it?

Brian, this is nothing to do with PayPal, but after reading things and installing NoScript on Firefox (have not put it on Chrome yet), it won’t let me get into a site I work on for our California wildfires every day. It’s Brush Fire Partyline on Facebook. I am a scanner transcriber and folks look to us for info on their local fires. How do I get back onto Facebook? I am not a Facebook fan; I am only on there to help folks with fire info. Would really like to hear from you on this. Thank you.

NoScript is a utility/plugin that you really have to play with to finally determine what scripts are friendly and some that may not.

If you select “Allow all on page” this can get you back to square one, and then you can selectively block or unblock each script until you get functionality with as few running scripts as possible. It may seem like a pain at 1st, but you get the hang of it after a while. You could always uninstall it and try ScriptSafe in Chrome as well. It works in a similar way.

Some years ago I was working as a consultant at eBay, and we found someone selling a service to defraud eBay by click fraud in their affiliate network. He was selling using PayPal (owned by eBay) so we signed up for his service, got his PayPal account details, and had access to his name, address, bank account details, and complete customer list. He later ignored a cease and desist notice, so ended up doing prison time for conspiracy to commit wire fraud.

However, investing a case like this takes a long time, especially if law enforcement is involved. I suspect that PayPal is being proactive about this, their InfoSec department is pretty militant, but it may just take a while for the hammer to fall.

> investing a case like this takes a long time,
Why does “investigating” take a long time? The approach you took of signing up, getting the details and tracing the account holder (crook) sounds like classic law enforcement sting operations. Establish the criminal act (selling stolen property sounds like a start), get warrants, arrest the miscreant, seize the site (if they are in US jurisdiction), maybe operate the site for a while to find other crooks, and this mole is whacked.

Uh oh. Maybe THAT is why this site isn’t closed? BK – did you check to see if there is (or they will admit to you) a continuing operation?

PayPal TOS:

“You may not use the PayPal service for activities that:
1) violate any law, statute, ordinance or regulation. [ pretty clear! ]

“Investigating” takes a long time if you think the case needs to be prosecutable – which is the official mission of most investigative units, public and private.

Meeting standards for evidence – particularly federal standards – means amassing data that’s well verified, and you must also prove that any alternative theories of the case or any possible justified actions can’t possibly pertain or no prosecutor’s going to waste time on the case you developed.

Yes, you can think of cases that make the above a total joke. And those cases are taught to investigators as Do Not Do This.

Further, most investigative units today also serve an intelligence function. Intelligence gathering and investigation are nearly polar opposites. If you’re doing intel and spot a wrong-doer, you don’t stop them. You watch them – maybe even encourage them – to see what they do, how they do it, and who they do it with. You try to swim up stream to find the boss and develop methods to detect and stop them from doing whatever it is except when you want them to do it.

If you’re doing investigation and spot a wrong-doer, you pop them before they do more wrong.

In a mixed environment, you spend a lot of time back-and-forthing with superiors over What You Do Now? And you spend time generating a lot of documentation that, when prepared and sent one way, fosters intel gathering and, when prepared and sent another way, fosters law enforcement.

P.S. I’m not affiliated in any way with PayPal and read their official response to Brian Krebs as, “Wuh, wait, something happened somewhere?,” not as, “Dude, we’s been going deep on this one to find Dr. Ebil.”

I complained to eBay of unsolicited selling out of eBay’s site by sellers from China, who I purchased from using eBay and PayPal. eBay told me the sellers could get my private email information from PayPal, which is in violation of customers’ privacy.
I was blown away by the response from eBay.

Normally, I don’t call out commenters like this, but you have now posted under three different names, including eron, kren and david — I’m guessing to provide the illusion of having a number of defenders of your service.

Haven’t you at least got a proxy you can use so that you don’t post comments all from the same Canadian IP?

Going forward, it’s probably best if you just use your real name, Ton. At least you were honest by using the “wbmusicboxan” email address that was cited in the dox linked to in this article.

Brian, I don’t know how long this sort of lax behavior on PayPal’s part may have gone on (i.e., recent vs. many months or years), but do you infer a viewpoint one way or another whether there is any correlation of the failure to crack down on such criminal activity with the impending split between eBay and PayPal into completely separate business entities?

Krebs writes what he believes. He doesn’t even realize the fact that PayIvy has been taking actions against these sellers just like that email I received about PayIvy banning Netflix accounts. Promote actual facts with credible sources next time.

There are very few ways to make money via cyberspace. One of the best ways comes in the form of advertising (which includes things that grab attention… what better example of this is there than Facebook and Twitter?). The days of people doing things based on their heart-felt passions for technology are over. That is so dead and buried. I can see the writing on the wall for my own cyber-existence and the only way to change that is for me to change and become a twit mac cultist brainwashed into thinking that Gates is the new Elvis.

You want to know what the point is? Check your cookies sometime. Take a look at the cloud and see the never-ending line-up of Mac branded terminals as they sport their flashless flash. A big part of the idea is control (and it’s not yours).